CVE-2026-35448 Overview
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Since Bitcoin addresses are publicly visible on the blockchain, an attacker can query payment records for any address used on the platform.
Critical Impact
Unauthenticated attackers can enumerate and retrieve payment order information for any Bitcoin address used on the AVideo platform, potentially exposing sensitive transaction data and user payment details.
Affected Products
- WWBN AVideo version 26.0 and prior
- BlockonomicsYPT plugin for AVideo
Discovery Timeline
- 2026-04-06 - CVE-2026-35448 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35448
Vulnerability Analysis
This vulnerability represents a Missing Authorization (CWE-862) flaw in the BlockonomicsYPT plugin for the WWBN AVideo platform. The check.php endpoint was implemented to serve as a helper for the authenticated invoice.php page, providing real-time payment status updates via AJAX polling. However, the developers failed to implement proper access control mechanisms on this endpoint.
The core issue is that check.php accepts Bitcoin address parameters and returns associated payment order data without verifying whether the requesting user has legitimate access to view that information. Since Bitcoin addresses are inherently public (visible on the blockchain), any attacker can systematically query the endpoint with known addresses to extract payment records.
This design flaw allows information disclosure through a broken access control pattern: a helper endpoint does not inherit the authentication of the page that calls it, so every endpoint that returns sensitive data must enforce its own checks.
Root Cause
The root cause is a missing authorization check in the check.php endpoint of the BlockonomicsYPT plugin. While the parent invoice.php page implements authentication controls, the AJAX helper endpoint was developed without independent access control validation. This represents a common anti-pattern where developers assume that backend endpoints will only be called from authenticated frontend pages, failing to account for direct endpoint access by malicious actors.
Attack Vector
The attack exploits the network-accessible check.php endpoint by submitting arbitrary Bitcoin addresses as query parameters. An attacker can:
- Obtain Bitcoin addresses from the public blockchain or through other reconnaissance methods
- Query the vulnerable endpoint directly without authentication
- Retrieve payment order data associated with each address
- Enumerate multiple addresses to build a comprehensive dataset of platform payment activity
The vulnerability can be exploited by sending crafted HTTP requests directly to the check.php endpoint with Bitcoin address parameters. Since the endpoint performs no authentication or authorization checks, it returns payment order data for any valid Bitcoin address that has been used on the platform. Attackers can automate this process to systematically query addresses obtained from the public Bitcoin blockchain. For technical details, see the GitHub Security Advisory.
Detection Methods for CVE-2026-35448
Indicators of Compromise
- Unusual volume of requests to the /plugin/BlockonomicsYPT/check.php endpoint
- Requests to check.php from unauthenticated sessions or unknown IP addresses
- Sequential or automated querying patterns targeting the BlockonomicsYPT plugin endpoints
- Access logs showing check.php requests without corresponding invoice.php session activity
Detection Strategies
- Implement web application firewall (WAF) rules to monitor and rate-limit access to the check.php endpoint
- Configure access logging to capture all requests to BlockonomicsYPT plugin endpoints
- Deploy anomaly detection for unusual access patterns to payment-related endpoints
- Monitor for requests containing multiple different Bitcoin address parameters in short timeframes
Monitoring Recommendations
- Enable detailed access logging for all AVideo plugin endpoints
- Set up alerts for unauthenticated requests to sensitive payment processing endpoints
- Implement rate limiting on the BlockonomicsYPT plugin endpoints
- Review access logs regularly for reconnaissance or data exfiltration patterns
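As an added example (not part of this advisory or of the AVideo project), the following Python script applies two of the indicators above to web-server access logs: it flags check.php requests from clients that never loaded invoice.php, and clients that query many distinct addresses within a short window. The name of the address query parameter (address), the Combined Log Format, the five-minute window and the threshold of five addresses are assumptions; the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

CHECK_PATH = "/plugin/BlockonomicsYPT/check.php"
INVOICE_PATH = "/plugin/BlockonomicsYPT/invoice.php"
ADDRESS_PARAM = "address"  # assumed name of the Bitcoin-address query parameter; confirm in the plugin
WINDOW = timedelta(minutes=5)
ENUM_THRESHOLD = 5  # distinct addresses queried by one client inside WINDOW
# Combined Log Format: ip ident user [timestamp] "METHOD url PROTO" status ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    return {"ip": m["ip"], "path": url.path, "address": parse_qs(url.query).get(ADDRESS_PARAM, [None])[0],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def analyze(lines):
    # Returns a sorted list of (client ip, reason) alerts for the two indicators
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    alerts, last_invoice, recent = set(), {}, defaultdict(list)
    for e in events:
        ip, ts = e["ip"], e["ts"]
        if e["path"] == INVOICE_PATH:
            last_invoice[ip] = ts  # legitimate polling starts from this page
            continue
        if e["path"] != CHECK_PATH:
            continue
        # IoC 1: check.php hit with no recent invoice.php page load from the same client
        seen = last_invoice.get(ip)
        if seen is None or ts - seen > WINDOW:
            alerts.add((ip, "check.php without invoice.php context"))
        # IoC 2: many distinct addresses from one client in a short time (enumeration)
        recent[ip] = [(t, a) for t, a in recent[ip] if ts - t <= WINDOW] + [(ts, e["address"])]
        if len({a for _, a in recent[ip] if a}) >= ENUM_THRESHOLD:
            alerts.add((ip, "address enumeration"))
    return sorted(alerts)

# Constructed sample log (RFC 5737 test IPs, made-up address values), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Apr/2026:10:00:00 +0000] "GET /plugin/BlockonomicsYPT/invoice.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [06/Apr/2026:10:00:05 +0000] "GET /plugin/BlockonomicsYPT/check.php?address=bc1qexampleaaa HTTP/1.1" 200 88',
    '192.0.2.10 - - [06/Apr/2026:10:00:35 +0000] "GET /plugin/BlockonomicsYPT/check.php?address=bc1qexampleaaa HTTP/1.1" 200 88',
]
# Six check.php hits for six different addresses from one client, with no invoice.php page load
SAMPLE_LOG += [f'198.51.100.7 - - [06/Apr/2026:10:01:{i:02d} +0000] "GET {CHECK_PATH}?{ADDRESS_PARAM}=bc1qscan{i} HTTP/1.1" 200 88' for i in range(6)]
```

Running analyze(SAMPLE_LOG) reports both indicators for 198.51.100.7 and nothing for the legitimate client; tune WINDOW and ENUM_THRESHOLD to the polling interval the invoice page actually uses.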
How to Mitigate CVE-2026-35448
Immediate Actions Required
- Restrict access to the /plugin/BlockonomicsYPT/check.php endpoint at the web server level
- Implement authentication requirements for all BlockonomicsYPT plugin endpoints
- Review and audit access to other plugin endpoints for similar authorization bypass vulnerabilities
- Consider temporarily disabling the BlockonomicsYPT plugin until a patch is available
Patch Information
At the time of publication, no official patch has been released by the vendor. Organizations should monitor the GitHub Security Advisory for updates regarding fixes. The vulnerability affects version 26.0 and prior versions of WWBN AVideo with the BlockonomicsYPT plugin enabled.
Workarounds
- Disable the BlockonomicsYPT plugin if Bitcoin payment functionality is not required
- Implement web server access controls (e.g., IP whitelisting) to restrict access to the check.php endpoint
- Add authentication middleware at the reverse proxy or web server level for plugin endpoints
- Deploy a WAF rule to block unauthenticated requests to /plugin/BlockonomicsYPT/check.php
# Example nginx configuration to restrict access to the vulnerable endpoint.
# An exact-match (=) location is used so that this block takes precedence over a
# generic "location ~ \.php$" handler; a plain prefix location would lose to that
# regex match and the request would still be passed to PHP.
location = /plugin/BlockonomicsYPT/check.php {
    # Deny all access; nginx answers 403 Forbidden. This also stops the legitimate
    # polling from invoice.php, so remove it or replace it with an IP allowlist
    # once a patch is applied.
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.